TLSv1.3 and Agent Client Collector

Summary

TLSv1.2 and TLSv1.3 are the latest versions of the Transport Layer Security (TLS) protocol, which is essential for secure online communication. Introduced in 2008, TLSv1.2 enhanced encryption compared to earlier versions. TLSv1.3, finalised in 2018, further improves security and performance by streamlining the handshake process and eliminating outdated cryptographic methods. While TLSv1.2 remains a secure option, TLSv1.3 is now considered the most secure and efficient choice.

According to NIST SP 800-52 Revision 2, Section 4.1, the client must be configured to use TLS 1.2 and should be set up to use TLS 1.3. The client can be configured to use TLS 1.1 and TLS 1.0 for compatibility with private sector servers but must not use SSL 2.0 or SSL 3.0. TLS 1.3 support is required after 01/01/2024, after which clients must be configured for TLS 1.3. Generally, clients with TLS 1.3 support should also allow TLS 1.2; however, TLS 1.3 may be disabled where it is not required for interoperability.
Contextualising NIST SP 800-52 for ACC and the MID Server

NIST’s allowance for TLS 1.1 and TLS 1.0 on private networks caters to legacy applications; TLS 1.0 and TLS 1.1 are not supported by the Go APIs used by the ACC agent and are disabled on the MID Server by default. We’ll consider them ‘banned’ for this experiment. TLS 1.2 is required for communication from the MID Server to your ServiceNow instance. TLS 1.3 can be enabled on your instance via a NowSupport case (“Please enable TLSv1.3 on ‘myinstance’”), but this is not the default configuration at the time of writing (September ‘25); see KB0563633.

Preferred protocol: TLSv1.3
Allowed protocols: TLSv1.2, TLSv1.3
Banned protocols: TLS 1.1, TLS 1.0, SSL 2.0, SSL 3.0

Let’s see how the default configuration aligns with this standard.

Facts

TLS 1.3 is enabled by default in Java 17, which has been included as the bundled JDK (OpenJDK 17) with the MID Server since the Washington DC release.
The agent and MID Web Server automatically negotiate the highest available TLS protocol version. If TLSv1.3 is available, it is selected over TLSv1.2.
As a result, most ACC deployments operate using TLSv1.3 by default.
Release

This information applies to Washington DC and later releases.

Instructions

How can I confirm that TLS 1.3 is in use?

Wireshark can be used to inspect the network packets between the MID Server and the ACC Agent. Wireshark would need to be installed on either the client (agent) or the server (MID), or you could follow KB1443986 to capture a network trace file for analysis on another machine.
Here’s a short guide.

Scenario details: MID Server IP = 192.168.100.7, MID Web Server Port = 8080

1. Start a packet capture and restart the ACC service.
2. Allow the ACC service to connect to the MID Server (check acc.log).
3. Stop the capture and (if using a trace file) open the packet capture using Wireshark.
4. If the MID Web Server listens on a port other than 443 you’ll need to let Wireshark know it can decode the packets as TLS. Open ‘Decode As..’: Analyze > Decode As.. (Ctrl+Shift+U). Configure a new entry in this table with the following options:
   Field: TCP port
   Value: [MID Web Server Port]
   Current: TLS
   Click the ‘Save’ button.
5. Filter for TLS handshakes to/from the MID Server. For example, I’d use the filter: ‘ip.addr == 192.168.100.7 && tls.handshake’
6. Open a Server Hello packet from the MID and inspect the decoded packet.

Test #1 – Default configuration on a Yokohama MID Server (Java 17):
Packet capture shows TLSv1.3 is the only protocol offered by the MID Server.

Test #2 – Setting jdk.tls.server.protocols in wrapper-override.conf:
jdk.tls.server.protocols=TLSv1.2,TLSv1.3
The server always offers the most recent TLS version to the client; the screenshot looks the same as above.

Test #3 – Misconfiguration where TLSv1.3 has been disabled:
jdk.tls.server.protocols=TLSv1.2
The server continues to offer TLSv1.3. This is good because TLSv1.3 should be used wherever possible (NIST SP 800-52 Rev.2, pg 8), but it also indicates that the MID Web Server might not respect this property.

Test #4 – Blacklisting TLSv1.3:
jdk.tls.server.protocols=TLSv1.2
jdk.tls.disabledAlgorithms=TLSv1.3 (+defaults) [JRE security setting]
For this experiment we’ve disabled TLSv1.3 using the JRE’s security settings to force a TLS 1.2 connection. The ACC agent offered both TLSv1.2 and TLSv1.3 as supported protocols (see Client Hello – not pictured). Because we blacklisted TLSv1.3 using java.security, the MID Server negotiated a TLSv1.2 connection; the differences in the Server Hello packet have been highlighted below.
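One detail worth knowing when you inspect the Server Hello in step 6: a TLSv1.3 Server Hello still carries 0x0303 (TLS 1.2) in its version field for middlebox compatibility, and the version actually negotiated is announced in the supported_versions extension, so a reader that only looks at the version field will report a TLSv1.3 session as TLSv1.2. The Python script below is an added example, not part of this article or of any ServiceNow or Wireshark tooling; it decodes a Server Hello record the same way, reports the negotiated version and cipher suite, and classifies the result against the preferred/allowed/banned policy above. The two sample packets are constructed inside the script to stand in for the Test #1 (TLSv1.3) and Test #4 (TLSv1.2) captures; they are not real captures, and the cipher-suite name table covers only a handful of IANA codes.

```python
import struct

# Handshake, extension and version constants from RFC 5246 / RFC 8446.
HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_KEY_SHARE = 0x0033

VERSION_NAMES = {
    0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
# A few IANA cipher-suite codes; anything else is reported as hex.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def classify(version_name: str) -> str:
    """Map a negotiated version onto the article's policy."""
    if version_name == "TLSv1.3":
        return "preferred"
    if version_name == "TLSv1.2":
        return "allowed"
    return "banned"


def parse_server_hello(record: bytes) -> dict:
    """Return the version a ServerHello actually negotiated.

    TLS 1.3 pins legacy_version to 0x0303 and signals the real version in
    the supported_versions extension, so that extension wins when present.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not carry a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    if len(sh) != hs_len or hs_len < 38:     # 2 + 32 + 1 + 2 + 1 minimum
        raise ValueError("truncated ServerHello")

    pos = 0
    (legacy_version,) = struct.unpack("!H", sh[pos:pos + 2]); pos += 2
    pos += 32                                # server random
    pos += 1 + sh[pos]                       # legacy_session_id_echo
    (cipher,) = struct.unpack("!H", sh[pos:pos + 2]); pos += 2
    pos += 1                                 # legacy_compression_method

    negotiated = legacy_version
    extensions = []
    if pos + 2 <= len(sh):                   # extensions block is optional
        (ext_total,) = struct.unpack("!H", sh[pos:pos + 2]); pos += 2
        end = pos + ext_total
        if end > len(sh):
            raise ValueError("extensions overrun ServerHello")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", sh[pos:pos + 4]); pos += 4
            data = sh[pos:pos + ext_len]; pos += ext_len
            if pos > end:
                raise ValueError("extension overruns extensions block")
            extensions.append(ext_type)
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                (negotiated,) = struct.unpack("!H", data)

    return {
        "legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
        "negotiated_version": VERSION_NAMES.get(negotiated, hex(negotiated)),
        "cipher_suite": CIPHER_NAMES.get(cipher, hex(cipher)),
        "extensions": extensions,
    }


def build_server_hello(version: int, cipher: int, extra_extensions=()) -> bytes:
    """Construct a sample ServerHello record (not a real capture) for testing."""
    exts = b""
    if version == 0x0304:                    # TLS 1.3 announces itself only here
        exts += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, version)
    for ext_type, data in extra_extensions:
        exts += struct.pack("!HH", ext_type, len(data)) + data
    legacy = min(version, 0x0303)            # version field never exceeds TLS 1.2
    sh = (struct.pack("!H", legacy) + b"\x11" * 32 + b"\x00"   # empty session id
          + struct.pack("!H", cipher) + b"\x00")
    if exts:
        sh += struct.pack("!H", len(exts)) + exts
    hs = bytes([SERVER_HELLO]) + len(sh).to_bytes(3, "big") + sh
    return bytes([HANDSHAKE_RECORD, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


# Constructed samples standing in for the Test #1 and Test #4 Server Hellos.
SAMPLE_TLS13 = build_server_hello(
    0x0304, 0x1302, [(EXT_KEY_SHARE, b"\x00\x1d\x00\x20" + b"\x22" * 32)])
SAMPLE_TLS12 = build_server_hello(0x0303, 0xC030)

if __name__ == "__main__":
    for label, pkt in (("Test #1", SAMPLE_TLS13), ("Test #4", SAMPLE_TLS12)):
        info = parse_server_hello(pkt)
        print(label, info["legacy_version"], "->", info["negotiated_version"],
              info["cipher_suite"], classify(info["negotiated_version"]))
```

Running the script prints the legacy version field and the negotiated version side by side, which is exactly the distinction to keep in mind when reading the Wireshark decode: a Server Hello whose header says TLS 1.2 but whose supported_versions extension says TLS 1.3 is a TLSv1.3 session.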
Test #5 – Blacklisting TLSv1.2:
You’re unable to disable TLSv1.2 on the MID Server without affecting MID to Instance communication. Enforcement of TLSv1.3 between the MID Server and ACC Agent can be achieved by configuring a load balancer between the Agents and MID Servers; KB2537468 offers instructions on configuring the open-source HAProxy load balancer with TLSv1.3 enforced.

Analysis Summary

The MID Server and ACC application are compliant ‘out-of-the-box’ with the guidance in NIST SP 800-52 Revision 2, Section 4.1. The agent and MID Web Service automatically negotiate the highest available TLS protocol version. If TLSv1.3 is available, it is selected over TLSv1.2.

Note: Protocols older than TLS 1.2 were not tested because they are not supported by the ACC agent and are disabled in Java 17.

Related Links

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

FAQs:

Q1: If I’m on Washington DC or newer, do I have to configure the MID Web Server to use TLSv1.3?
A1: TLSv1.3 is enabled by default in Java 17, so there is no need to take further action.

Q2: Microsoft says that only Windows 11 and Server 2022 support TLS 1.3. Does this mean my ACC agents on earlier versions of Windows will not be able to connect using TLS 1.3, and do I need to host the MID Server on a newer version of Windows?
A2: No, this guidance does not apply, as the MID Server and ACC client application do not use the Windows TLS API (Schannel). You can disregard the Microsoft recommendation in the context of ACC.

Q3: Does this apply to other applications which use the MID Web Server, such as Event Management?
A3: The server-side behaviour is consistent for other applications using the MID Web Server. Third-party clients may negotiate TLSv1.2; you will need to conduct your own testing to validate this.

Q4: How can I enforce TLS 1.3 for communication between ACC Agents and the MID Server?
A4: To enforce TLS 1.3 for ACC to MID communication, you should set up an HTTP proxy or load balancer. Detailed instructions for configuring HAProxy with appropriate TLS settings can be found in KB2537468. Disabling TLS 1.2 on the MID Server is not recommended, as it remains essential for compatibility with most ServiceNow instances and other MID Server applications that use outbound HTTP requests.